[libvirt] [PATCH 2/5] Log taint warnings in QEMU driver
Eric Blake
eblake at redhat.com
Thu May 5 20:55:14 UTC 2011
On 05/05/2011 05:51 AM, Daniel P. Berrange wrote:
> Wire up logging of VM taintint to the QEMU driver
s/taintint/tainting/
>
> - If running QEMU as root user/group or without capabilities
> being cleared
> - If passing custom QEMU command line args
> - If issuing custom QEMU monitor commands
> - If using a network interface config with an associated
> shell script
> - If using a disk config relying on format probing
>
> The warnings, per-VM appear in the main libvirtd logs
>
> 11:56:17.571: 10832: warning : qemuDomainObjTaint:712 : Domain id=1 name='l2' uuid=c7a3edbd-edaf-9455-926a-d65c16db1802 is tainted: high-privileges
> 11:56:17.571: 10832: warning : qemuDomainObjTaint:712 : Domain id=1 name='l2' uuid=c7a3edbd-edaf-9455-926a-d65c16db1802 is tainted: disk-probing
>
> The taint flags are reset when the VM is stopped.
>
> * src/qemu/qemu_domain.c, src/qemu/qemu_domain.h: Helper APIs
> for logging taint warnings
> * src/qemu/qemu_driver.c: Log tainting with custom QEMU monitor
> commands and disk/net hotplug with unsupported configs
> * src/qemu/qemu_process.c: Log tainting at startup based on
> unsupported configs
> +++ b/src/qemu/qemu_driver.c
> @@ -3877,6 +3877,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm,
>
> switch (dev->type) {
> case VIR_DOMAIN_DEVICE_DISK:
> + qemuDomainObjCheckDiskTaint(driver, vm, dev->data.disk);
> ret = qemuDomainAttachDeviceDiskLive(driver, vm, dev);
Do we really want to issue the taint message before attempting the
attach? Or are we still safe if you perform the attach first, and issue
the taint message only on success?
> if (!ret)
> dev->data.disk = NULL;
> @@ -3889,6 +3890,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm,
> break;
>
> case VIR_DOMAIN_DEVICE_NET:
> + qemuDomainObjCheckNetTaint(driver, vm, dev->data.net);
> ret = qemuDomainAttachNetDevice(dom->conn, driver, vm,
Likewise.
On second thought - we can't guarantee if failure happened before a disk
was probed, or after, so I guess doing unconditional taint is the
conservatively safe approach, and the whole point of this is
conservative safety even if it lets through some false positives.
So, ACK.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 619 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20110505/3961b20c/attachment-0001.sig>
More information about the libvir-list
mailing list